Closed sanny-io closed 3 years ago
This website is not owned, operated, or affiliated with me. I'll see if I can get contact information via WHOIS or another means, but it's definitely sketchy. It's my fault for not buying the domain.
Hopefully this is someone trying to be helpful, but I'll be reaching out to legal counsel and will make a case if this becomes an issue.
Maybe some hosts project ban page:
https://github.com/StevenBlack/hosts#list-of-all-hosts-file-variants https://github.com/StevenBlack/hosts#sources-of-hosts-data-unified-in-this-variant
Then it may not load with NextDNS on the default setup.
@yuki2718 can this commercial domain be marked as a badware risk? Like these: https://github.com/uBlockOrigin/uAssets/issues/1738 https://github.com/uBlockOrigin/uAssets/issues/3060
@spirillen fyi
The Reddit Account of the site owner has been found but has been inactive for a couple hours. The situation will be updated as it progresses.
@krystian3w Need evidence the site is actually malicious or dangerous for us to block.
@Yuki2718 I believe it's evening time for the current owner; however, I've contacted them via several methods and am awaiting a reply. I'll keep you informed if anything changes.
Thanks for your consideration @krystian3w
However, I do not currently see any threats from the domain; however, I do believe a very, very important disclaimer about the non-relation to @rcmaehl is missing.
If we scout the site's source code we will find that it is yet another WP site, and the biggest threat is Google, Facebook and nocookie.net.
With all this said, yes, it is odd that all traces of who owns this domain end in a closed Reddit account.
If things on the site change, yes, it would be added; as there is currently nothing dangerous on the site, I would leave it as it is. It appears mostly like a friendly spider :space_invader: who helps spread the word. The DL links should be monitored, and the domain owner should contact @rcmaehl.
Since it's not mentioned by anyone yet...
The link to the .exe is no longer pointing to this repo's releases.
The .exe that the website offers does not have the same sha256 signature as the one found in releases (site says it's 2.2.2, I've compared only to this one).
https://www.virustotal.com/gui/ did not find anything.
True...

```html
<a class="maxbutton-1 maxbutton maxbutton-download" href="https://www.whynotwin11.com/WhyNotWin11.exe"><span class='mb-text'>Download</span></a></div>
```

This makes it a malicious site. Thanks for the update @pixeye33
This is a comment to provide verification of the @WhyNotWin11 twitter account
Correction: exe metadata says it's 2.2.4 and the sha256 actually matches the one on the repo...
(for now, is what i implied)
Still, it makes no sense to rehost the file (with the wrong release number). It probably mirrors the link from the readme: https://github.com/rcmaehl/WhyNotWin11/releases/latest/download/WhyNotWin11.exe
@Yuki2718 situation has changed a bit. I can understand if you're still hesitant, and I'll tag you in any additional changes, but it appears they're specifically trying to hide the fact of the .com banner warning.
(Which is gonna be a bit hard to do if anyone checks for updates on the app.)
Yep, the guy purged information about the owner and the placeholder pages where I had attempted to contact him. I'd rather not involve counsel butttttttttttt
Going through the person's Reddit posts (if I am looking at the correct person, that is), it looks like they have done this type of stuff before with other things as well, so I wouldn't expect much from them, as it looks like they are just up to no good and taking advantage again of a popular application.
They have a few accounts ranging between 5-7 years old. All Generic Middle East names.
Ah the only one I've run across so far that has any mention of the website so far is an account named "chardasyaal", but makes sense that they would have multiple accounts. Hopefully you can get the site shut down :/
I contacted Namecheap via a ticket to report abuse. Hope this is solved soon!
I'll be surprised if you can get the domain down.
But what I can't understand... Why are they putting up that domain, hosting an exe (currently the same sha256/md5)?
What is their attempted gain here?? There are no banners/ads or severe tracking/spyware (yet).
But what confuses me more is their usage of a complete WP setup for one page, which could be written with half the bits for the front page, not to mention the entire backend (db/wp-code, etc).
All I really needed from them was "Hey, I'm X. I'll be sure to keep it the latest build and note that I'm not affiliated somewhere on the page". I would have grabbed the .org anyway (and now have, DNS please propagate)
Not the fastest response I have ever seen... but voilà

```
drill -T WhyNotWin11.org
. 518400 IN NS l.root-servers.net.
org. 172800 IN NS a2.org.afilias-nst.info.
whynotwin11.org. 86400 IN NS lennon.ns.cloudflare.com.
whynotwin11.org. 86400 IN NS martha.ns.cloudflare.com.
WhyNotWin11.org. 3600 IN SOA lennon.ns.cloudflare.com. dns.cloudflare.com. 2037648737 10000 2400 604800 3600
```

```
drill WhyNotWin11.org
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 43118
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; WhyNotWin11.org. IN A

;; ANSWER SECTION:

;; AUTHORITY SECTION:
WhyNotWin11.org. 3600 IN SOA lennon.ns.cloudflare.com. dns.cloudflare.com. 2037648737 10000 2400 604800 3600

;; ADDITIONAL SECTION:
```
So I'm guessing the banner will be updated to state that only whynotwin11.org is the official address, and will no longer list any new fake domain, since people can just keep creating new fake domains.
https://www.whynotwin11.com/index.php/feed/
Hosted on cloudways?
> So I'm guessing the banner will be updated to state that only whynotwin11.org is the official address, and will no longer list any new fake domain, since people can just keep creating new fake domains.
YEP
https://www.whynotwin11.com
https://i.imgur.com/6Rlz443.png
I haven't seen this mentioned anywhere. Is this from you @rcmaehl? The download link currently points to this repo's releases, but they might be trying to lay low for a while before switching it out 👀
Please edit your comments and put the domain in backticks (`) so it is not linked (maybe also add a [.] after the www).
Thanks for the suggestion, edited all comments with links.
@iam-py-test We internally discussed. Unless the site directly endangers user by malware or scam, we don't block the site.
Does anyone know why Firefox and my antivirus flagged the 2.2.2 version from GitHub as suspicious but not the one from https://www.whynotwin11.com/#download-buttons-os, even though they are identical?
Because nobody reported to Google this page/urls as scam?
Noticed that whynotwin11.org does not redirect properly, but www.whynotwin11.org does.
I think it's better if he uses Cloudflare Page Rules.
It's free!
Shows both working for me??? Unless I did something wrong. Tips are appreciated
Redirecting fine on my end too
My version of Firefox wants to navigate to http://whynotwin11.org, but you only have a redirect for https. I would have to explicitly specify https or use the www version.
Any way to have http redirect to https so I can adjust the filters? Or a single rule that captures `http`, `https`, `www.`, and `whynotwin11.org`?
I don't know about the specific tool you're using, but I would try dropping the scheme so it's just `whynotwin11.org`, just like how the www entry doesn't have `http` or `https`. You may be able to specify a subdomain wildcard like `*.whynotwin11.org` so you only need one entry, but again that depends on your tool.
By the way... your `www` rule works for both `http` and `https`, so I do believe dropping the scheme off the non-`www` rule will do the trick.
Defender SmartScreen (in Edge Chromium) blocked https://www.whynotwin11.com
Ok. It must have been an issue on my end. Now I can reproduce the block
> Noticed that whynotwin11.org does not redirect properly, but www.whynotwin11.org does.

> Shows both working for me??? Unless I did something wrong. Tips are appreciated
First off, you need to use 308 (GET = GET), not 301 (GET becomes POST), for the redirect.

```nginx
# Plain-HTTP listeners: every request is sent to the HTTPS version of the same host.
server {
    if ($host = mypdns.org) {
        return 308 https://$host$request_uri;
    } # managed by Certbot
    listen IP:80;
    server_name mypdns.org;
    return 308 https://$host$request_uri;
}
server {
    if ($host = mypdns.com) {
        return 308 https://$host$request_uri;
    } # managed by Certbot
    listen IP:80;
    access_log off;
    server_name mypdns.com;
    return 308 https://$host$request_uri;
}
# HTTPS listener for the alias names: fold www.* and the .com onto the one canonical host.
server {
    listen IP:443 ssl http2;
    server_name www.mypdns.org www.mypdns.com mypdns.com;
    return 308 https://mypdns.org$request_uri;
    access_log off;
    ....
}
# HTTPS listener for the canonical host: the only block that actually serves content.
server {
    listen IP:443 ssl http2;
    root /storage01/www/mypdns.org;
    server_name mypdns.org;
    ....
}
```

etc etc
Oh yeah, you should also choose one of `www` or `!www`, as using both is bad.
> My version of Firefox wants to navigate to http://whynotwin11.org, but you only have a redirect for https. I would have to explicitly specify https or use the www version.

> Any way to have http redirect to https so I can adjust the filters? Or a single rule that captures `http`, `https`, `www.`, and `whynotwin11.org`?
CD lets you force HTTPS too! Make your SSL/TLS Full, then in Edge Certificates turn on Always Use HTTPS.
Cloudflare will redirect all the requests over http to https, and you might want to turn on Automatic HTTPS Rewrites too. Ppl think www is important, but it's actually a subdomain of your website! You can create a CNAME that points to your domain root; check the picture below!
Also, my two links work just fine with or without www; even if you use http it will redirect you to https: https://kadantte.moe/ - https://www.kadantte.moe/ - http://kadantte.moe/ - http://www.kadantte.moe/
> CD lets you force HTTPS too! Make your SSL/TLS a FULL then

That's bad for performance, as it is only redirecting. HTTP is cacheable; HTTPS is not.
An HTTP redirect to one of www or !www for GH is optimal for performance.
This is just a URL redirect, so I don't see the performance angle here! Just a domain working as a backlink, nothing fancy to look for performance. Also, CD's performance is way better than GH Pages! But whatever...
You should add HTTPS or else someone can redirect it to somewhere else (i.e. a malware domain). Security is more important than performance.
This is why I recommended Cloudflare: for free and more secure!
> CD lets you force HTTPS too! Make your SSL/TLS a FULL then

> That's bad for performance, as it is only redirecting. HTTP is cacheable; HTTPS is not. An HTTP redirect to one of www or !www for GH is optimal for performance.

> This is just a URL redirect, so I don't see the performance angle here! Just a domain working as a backlink, nothing fancy to look for performance. Also, CD's performance is way better than GH Pages! But whatever...

It's all in the header :smirk:
```
curl -I 'http://whynotwin11.org'
HTTP/1.1 301 Moved Permanently
Date: Tue, 29 Jun 2021 17:08:57 GMT
Cache-Control: max-age=3600
Expires: Tue, 29 Jun 2021 18:08:57 GMT
Location: https://github.com/rcmaehl/WhyNotWin11/
cf-request-id: 0afa57e5c9000010ad4a279000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=yXipVu%2B59itoOG3YfJOtNQlRQ4SZScWWhVJzt8XUr5dt0R9XrRXI07HSa6wv2Ca113AscnT6UMtIHddguMsoSLinMs1JdnehcFwxBk7Hah3ADFP6kodbCuwIYraY"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 6670c282dc0210ad-CPH
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
X-Cache: MISS from
X-Cache-Lookup: MISS from firewall.matrix.lan:3128
Via: 1.1 firewall.matrix.lan (squid/4.15)
Connection: keep-aliv
```
This is the full header for a request through a Squid proxy. Now let's break it down to what is interesting with regard to performance:

```
HTTP/1.1 301 Moved Permanently
Cache-Control: max-age=3600
Expires: Tue, 29 Jun 2021 18:08:57 GMT
X-Cache: MISS from
X-Cache-Lookup: MISS from firewall.matrix.lan:3128
```
On the second run you'll see it is now cached. (the same goes for most modern browsers actually)
```
X-Cache: HIT from firewall.matrix.lan
X-Cache-Lookup: HIT from firewall.matrix.lan:3128
```
Here is the same, but over HTTPS; notice there is no CACHE info, as secure protocols don't get cached:

```
curl -I 'https://whynotwin11.org'
HTTP/2 301
date: Tue, 29 Jun 2021 17:12:47 GMT
cache-control: max-age=3600
expires: Tue, 29 Jun 2021 18:12:47 GMT
location: https://github.com/rcmaehl/WhyNotWin11/
cf-request-id: 0afa5b6818000010c50325a000000001
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=blAKQVmDsghJK7ejbX9OOUXkggtC%2BaYHo8PeJoqwB4pwDaljfpY8%2FrAofeNwS0QeMBsQU3We69vCDuZAB3%2F%2BZ16SuQZT%2FvTEv5Olok%2BLuERWbJirR8EQ%2FStesrMF"}],"group":"cf-nel","max_age":604800}
nel: {"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 6670c820297c10c5-CPH
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
```
You See the benefit now?
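An added example, not code posted by anyone in this thread: it parses `curl -I` output like the responses quoted above and reports the properties a maintainer of a redirect-only domain wants to verify, namely 301 vs 308 semantics, whether the target is HTTPS on the expected host, and whether the response carries a cache lifetime a proxy such as Squid can honour. The sample response is constructed from the headers quoted above (trimmed), and `expected_host` is an assumed parameter.

```python
from urllib.parse import urlparse

# Constructed sample: the HTTP/1.1 response quoted in the thread, trimmed.
SAMPLE_HTTP = """HTTP/1.1 301 Moved Permanently
Date: Tue, 29 Jun 2021 17:08:57 GMT
Cache-Control: max-age=3600
Location: https://github.com/rcmaehl/WhyNotWin11/
Server: cloudflare
X-Cache: HIT from firewall.matrix.lan
"""

def parse_head(raw):
    """Split `curl -I` output into (status code, {header name: value})."""
    lines = [ln for ln in raw.splitlines() if ln.strip()]
    status = int(lines[0].split()[1])        # "HTTP/1.1 301 ..." or "HTTP/2 308"
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # first colon only; values may contain ':'
        headers[name.strip().lower()] = value.strip()
    return status, headers

def max_age(cache_control):
    """Return the max-age lifetime in seconds, or None if not given."""
    for directive in cache_control.split(","):
        key, _, value = directive.strip().partition("=")
        if key.lower() == "max-age" and value.isdigit():
            return int(value)
    return None

def analyze_redirect(raw, expected_host="github.com"):
    """Report the redirect properties worth checking on a domain that only
    exists to forward users to the real project page."""
    status, h = parse_head(raw)
    target = urlparse(h.get("location", ""))
    cc = h.get("cache-control", "")
    age = max_age(cc)
    return {
        "status": status,
        "is_redirect": 300 <= status < 400,
        # 301/302 allow the client to switch the method; 307/308 keep it.
        "method_preserving": status in (307, 308),
        "permanent": status in (301, 308),
        # Forwarding to plain http, or to an unexpected host, is the
        # failure mode to watch for on a redirect-only domain.
        "target_https": target.scheme == "https",
        "target_host_ok": target.hostname == expected_host,
        "max_age": age,
        # A shared cache may store the redirect only with an explicit
        # positive lifetime and no no-store/private directive.
        "shared_cacheable": bool(age) and not any(
            d in cc.lower() for d in ("no-store", "private")),
        "proxy_hit": h.get("x-cache", "").upper().startswith("HIT"),
    }
```

Feed it the body of a `curl -I` run (stripping the command line) to compare the http and https variants of the same domain.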
Why is better performance needed? The only point of this domain is to (correct me if I am wrong) redirect lost people to GitHub and prevent it from being bought up by malware authors. (Also may have the effect of redirecting people who made a typo away from the .com) HTTPS prevents tampering, evil ISPs from spying, and also increases user trust.